
[cobalt-security] Re: cobalt-security digest (tmpwatch DoS)



> Subject: [cobalt-security] tmpwatch: local DoS : fork()bomb as root (fwd)

>  Any user with write access to /tmp or /var/tmp can cause redhat 6.1 (and
> others running tmpwatch from cron) to stop responding, and possibly require
> a hard reboot.

my 0.04 euro :

Certainly this "unlimited" forking is not a desired behaviour, but I
don't consider that a high threat. If a user has shell access, he can
always "overflow" the server with processes if his resources are
unlimited (a good idea if any user has shell access). No need to use
this tmpwatch exploit.

If a user has root access, the recommended countermeasures will not
protect the server, as there would be simpler ways to bring it to
its knees...

>                   *    a temporary fix   *
> # chmod 400 /etc/cron.daily/tmpwatch
> # chmod 400 /usr/sbin/tmpwatch

This would disable tmpwatch completely, as execution is not allowed.

Should it be 500, i.e. executable at least for root? It is generally a good
idea to allow execution only by root for programs that users don't need
to run.

I don't know if on the RaQ write access to the /tmp directories is
needed for normal users; on other boxes I have them writeable only for
root.

-- 

H. P.  Stroebel, Germany

CGI-FAQ for Raq-Newbies :
http://users.iol.it/hpstr/

A problem to some is a 'feature' to others.
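As an added example (not part of the thread above or of tmpwatch itself), a small POSIX sh audit that tells the three permission states discussed apart (400 disables the cron job, 500 keeps it root-only, 755 lets anyone run it) and checks a pam_limits-style file for a per-user process cap, the mitigation hinted at with "if his resources are unlimited". The file paths, the sample files and the limits.conf layout are assumptions; on a real box point it at /etc/cron.daily/tmpwatch and /usr/sbin/tmpwatch.

```shell
#!/bin/sh
# Print the 10-character mode string of a file, e.g. "-r-x------".
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# Classify a mode string by who may execute the file:
#   root-only  owner can execute, group and others cannot (chmod 500)
#   disabled   nobody can execute (chmod 400 silently disables the cron job)
#   shared     group or others can execute too (the usual 755)
classify_exec() {
    owner=$(printf '%s' "$1" | cut -c4)
    rest=$(printf '%s' "$1" | cut -c7,10)
    case "$rest" in
        *[xst]*) echo shared; return 0 ;;
    esac
    case "$owner" in
        x|s) echo root-only ;;
        *)   echo disabled ;;
    esac
}

# Succeed (exit 0) if an uncommented "* hard nproc N" line caps the number
# of processes for every user. The "domain type item value" layout is
# pam_limits' limits.conf format and is assumed, not quoted from the thread.
has_nproc_limit() {
    grep -Ev '^[[:space:]]*#' "$1" |
        awk '$1=="*" && $2=="hard" && $3=="nproc" && $4+0>0 {found=1}
             END {exit !found}'
}

# Report the execute classification of each path given.
audit() {
    for f in "$@"; do
        printf '%s: %s\n' "$f" "$(classify_exec "$(mode_of "$f")")"
    done
}

# Demo on constructed files in a temporary directory (hypothetical names).
demo_dir=$(mktemp -d)
: > "$demo_dir/tmpwatch";     chmod 500 "$demo_dir/tmpwatch"      # suggested fix
: > "$demo_dir/tmpwatch.off"; chmod 400 "$demo_dir/tmpwatch.off"  # job disabled
printf '# constructed sample\n*  hard  nproc  200\n' > "$demo_dir/limits.conf"
audit "$demo_dir/tmpwatch" "$demo_dir/tmpwatch.off"
has_nproc_limit "$demo_dir/limits.conf" && echo "per-user process cap present"
rm -rf "$demo_dir"
```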